VirtualBox is a pretty cool (for private use) free virtualization program that I use to have a virtual Windows running on my Linux box. One nice feature is that you can use the Remote Desktop Protocol to access virtual machines from another computer.. just it's not totally easy to get that running with authentication enabled. The latter is important because I don't want anyone who somehow managed to hack into my wireless network to get free access to my virtual windows.

So here's the solution:

Create the file /etc/pam.d/vbox_vrdpauth with the following content:

auth required pam_unix.so
account required pam_unix.so broken_shadow

Add the following line to /etc/profile

export VRDP_AUTH_PAM_SERVICE=vbox_vrdpauth

In your virtual machine setup, set the authentication method for vrdp to Extern.

The explanation:

VirtualBox uses PAM to authenticate users on the Linux host machine. PAM is accessing the file /etc/shadow to determine user information and therin lies the problem. VirtualBox is being started by a user and users usually don't have read permission to /etc/shadow. Unless you want to give users read permissions on that file you have to tell PAM to ignore errors when reading from it. That's accomplished by the broken_shadow option in the above module file.

To tell VirtualBox that it should authenticate using the newly created PAM module vbox_vrdpauth we have to set the environment variable VRDP_AUTH_PAM_SERVICE. To do that automatically on login, we add that to /etc/profile.